堆栈内存溢出
  简体   繁体   English

SP启动的SSO和IDP启动的SSO之间的SAML响应差异

[英]SAML reponse difference between SP initiated SSO and IDP initiated SSO

 原文  2019-08-16 10:39:49       single-sign-on/ saml

问题描述

How to tell from a SAML response if it's a SP initiated SSO or an IDP initiated SSO? 如何从SAML响应中分辨出它是SP发起的SSO还是IDP发起的SSO? Is there an attribute which tells me who initiated the SSO? 是否有一个属性可以告诉我谁发起了SSO?

For example in this StackOverflow Question: Differences between SP initiated SSO and IDP initiated SSO they discuss the differences but they don't talk about the XML level itself... 例如在以下StackOverflow问题中: SP发起的SSO与IDP发起的SSO之间的差异,他们讨论了差异,但是他们没有谈论XML级别本身。

The SAML response looks like this: SAML响应如下所示: 

<samlp:Response xmlns:samlp ="urn:oasis:names:tc:SAML:2 .0 :protocol" Destination ="http: //my - sp . com /sso /saml" ID ="_45307c23795120" IssueInstant ="2014 -03 -07 T08:30:00Z" Version ="2.0">
    <saml:Issuer xmlns:saml ="urn:oasis:names:tc:SAML:2 .0 :assertion">http: //my - idp . com </saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value ="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ID ="ebe015e8be2a" IssueInstant="2014-03-07T08:30:00Z" Version ="2.0">
        <saml:Issuer> http: //my - idp . com </saml:Issuer>
        <ds:Signature xmlns:ds ="http: //www . w3 . org /2000/09/xmldsig #">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm ="http: //www . w3 . org /2001/10/xml - exc - c14n #"/>
                <ds:SignatureMethod Algorithm ="http: //www . w3 . org /2000/09/ xmldsig # rsa - sha1"/>
                <ds:Reference URI ="# ebe015e8be2a">
                    <ds:Transforms>
                        <ds:Transform Algorithm ="http: //www . w3 . org /2000/09/ xmldsig # enveloped - signature"/>
                        <ds:Transform Algorithm ="http: //www . w3 . org /2001/10/xml - exc - c14n #"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm ="http: //www . w3 . org /2000/09/ xmldsig # sha1"/>
                    <ds:DigestValue> ... </ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue> ... </ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate> ... </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format ="urn:oasis:names:tc:SAML:2 .0 :nameid - format:persistent" NameQualifier ="http: //my - idp . com" SPNameQualifier ="http: //my - sp . com /sso /saml"> NDSUser </saml:NameID>
            <saml:SubjectConfirmation Method ="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter ="2014 -03 -07 T10:45:00Z" Recipient ="http: //my - sp . com /sso /saml"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore ="2014 -03 -07 T08:29:00Z" NotOnOrAfter="2014 -03 -07 T10:46:00Z">
            <saml:AudienceRestriction>
                <saml:Audience> http: //my - sp . com /sso /saml </saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2014 -03 -07 T08:25:56Z" SessionIndex="f7810a8c86a6">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2 .0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name ="FEDERATION_ID">
                <saml:AttributeValue xmlns:xs ="http: //www . w3 . org /2001/XMLSchema" xmlns:xsi ="http: //www . w3 . org /2001/XMLSchema - instance" xsi:type ="xs:string"> NDS </saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

1 个解决方案

解决方案1
 1 已采纳  2019-08-16 17:59:23

来自SP发起的SSO流的SAML响应具有“ InResponseTo”属性。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 SP发起的单点登录和IDP发起的单点登录的区别 - Differences between SP initiated SSO and IDP initiated SSO sp启动saml sso身份验证 - sp initiated saml sso authentication 从 SP 发起的 SSO 转换为 IdP 发起的 SSO - Converting from SP initiated SSO to IdP initiated SSO IDP为Spring SAML扩展启动了SSO - IDP initiated SSO for Spring SAML Extension SP与IdP的澄清启动了SSO - Clarification on SP vs IdP initiated SSO IdP 使用 SimplesamlPHP 发起 SSO - IdP initiated SSO with SimplesamlPHP SAML SSO 不确定用户如何访问受 IDP 发起的 SAML 的受保护 SP 页面 - SAML SSO Unsure how a user gets to the protected SP page for IDP initiated SAML 使用Sp发起的sso在PingFederate(IDP)OpenAM(SP)之间传递RelayState - Passing RelayState between PingFederate(IDP) OpenAM (SP) with Sp-initiated sso SP 发起的 SAML SSO 的实际流程,包括所有组件,即 IDP、SP 客户端和 SP 服务器端 - Actual flow of SP initiated SAML SSO that includes all the components ie IDP, SP client side and SP server side 将站点从SP启动的SSO重定向POST转换为IdP启动的SSO POST - Convert site from SP-Initiated SSO Redirect POST to IdP-Initiated SSO POST
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM